input drop all rule - moved by accident!!

Hey there,

I was in a customer router (Winbox) monitoring traffic and doing a review of the firewall rules…

Somehow, when I was ready to close the firewall window, the filter input = drop all rule got moved to the top of the list.

I realized this and tried to move it back below the filter accept rules, but it was too late and I lost the connection.

Their outside port forwarding / dst-nat rules appear to still be working.

How can I correct this?

An onsite visit to connect to the router and use neighbor discovery? Or am I completely locked out from accessing it and does it require a full reset?

Hi Toxicfusion,

I’m afraid that you will likely have to go to site and connect via console cable.

This is why the Safe Mode is so good…

Next time use “safe mode”. Better safe than sorry.
“lol, I don’t use safe mode either”
Tell us what you finally did.

Absolutely love safe mode. However, unfortunately, by default Winbox does not connect via safe mode.

When I make any config changes, I’ll enable safe mode prior to the changes. However, it was one of those “let me watch some VOIP traffic and look over my firewall rules” sessions. Last night I made some rule changes and more traffic shaping, so I was watching business-hours traffic.

Access via console… it’s an RB2011 device.

There is a mini-USB port on the front; can I connect with mini-USB and use a terminal?

Ideas?

RB2011s have an RJ45 Cisco-type serial connection.

There should be an option on the Winbox start screen like “connect in safe mode”.
(attached screenshot: Capture.JPG)

There is an RJ45 on the back, or just use Winbox to a MAC address if you are plugged into one of the Ethernet ports.

Just connect via MAC and you can bypass the (IP) firewall.

Assuming you haven’t disabled the WinBox interface under MAC Server.
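The advice in the posts above (MAC-Winbox is layer 2 and bypasses the IP filter, the serial console defaults to 115200, and the catch-all drop has to sit last in the input chain) as an added RouterOS console example. This is not code from any post in the thread; it assumes RouterOS v6.41 or later (interface lists), an interface list named LAN, and the rule comments written here, so adjust those to match the router.

```routeros
# Added example, not from the thread. Assumed: RouterOS v6.41+ (interface
# lists), an interface list named LAN, and rule comments as written here.

# 1. Keep the out-of-band path open before touching the filter. MAC-Winbox
#    and MAC-telnet work at layer 2 and are not evaluated by
#    /ip firewall filter, so they remain the recovery route when the input
#    chain drops your IP session. Restrict them to the LAN side only.
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox print

# 2. The serial console defaults to 115200 baud, 8N1; confirm it before
#    going on site (a terminal set to 9600 shows nothing).
/port print

# 3. A minimal input chain in the order that keeps management reachable.
#    Rules are matched top to bottom and the first match wins, so the
#    catch-all drop must be the LAST rule in the chain.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
add chain=input action=accept in-interface-list=LAN \
    comment="accept management from LAN"
add chain=input action=accept protocol=icmp comment="accept icmp"
add chain=input action=drop comment="drop all input"

# 4. Recovery, from a MAC-Winbox terminal or the console, after the drop
#    rule has ended up at position 0. Press Ctrl-X first to enter safe
#    mode: if the session drops, RouterOS rolls the change back.
/ip firewall filter print where chain=input
# Simplest unambiguous fix: remove the misplaced rule and re-add it;
# 'add' appends to the end of the chain, i.e. below the accept rules.
/ip firewall filter remove [find chain=input action=drop comment="drop all input"]
/ip firewall filter add chain=input action=drop comment="drop all input"
/ip firewall filter print where chain=input

# Note: dst-nat'ed traffic to LAN hosts traverses the forward chain, not
# input, which is why the port forwards kept working while the router
# itself became unreachable over IP.
```

Step 4 deliberately uses remove-and-add rather than `move`, because `add` always appends and the result is easy to confirm with the second `print`. Keep the `/tool mac-server` restriction to LAN; leaving it on every interface gives the WAN side a layer 2 management path the IP firewall never sees.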

Just had to say that I’m proud to have ninja’d 2 posts!

Thanks guys!

I’m aware of the Winbox MAC connect (Neighbor). This was my first guess to access the device, but I was uncertain if it would 100% bypass the firewall filter rules.

I have a cisco style rj45 console cable. Will go onsite and make it happen.

FYI: I’m using Winbox version 3.7; there is no option to connect with safe mode.

Also, newer versions of Winbox do not have the ‘Connect To:’ drop-down list for finding MikroTiks via MAC address, so you have to use Neighbors.

Safe mode is available after you connect to a site, top left.
My #7 post was a suggestion to MikroTik to place an option before you connect to a site.

Correct, which I use when I make config changes. Just waiting for the feature request to be added to Winbox for ‘connect with safe mode’.

I’ll let you guys know if I’m able to regain access.

You guys were on fire today replying to the post. Appreciated!

Update:

I just tested this scenario with a spare MikroTik I have in the office. Winbox worked perfectly using the MAC address; I didn’t even need to configure an IP on the laptop NIC interface.

However, I tried a Tripp-Lite USB to RJ45 console cable; this doesn’t appear to work for console? Nothing displays at baud 9600.

Default baud is 115200 on MikroTik.

I’ve got out of sticky situations before by using MAC telnet if you’re connected via layer 3. If it’s not working from Winbox, try using a terminal from a neighbour router that you can access on the same layer 3 network.

Often you can get access because it bypasses the IP side of the firewall, just using the MAC address.

Simply connect over IPv6. Ok, I know I’m not being helpful, because if you had it, you’d know to use it. So just for future reference, maybe it will inspire someone. It’s a really great thing to have, if for nothing else, then for situations like this. No matter how much you mess up one protocol’s firewall, it does not affect the other one.

Thanks everyone!

Noted about the baud rate needing to be 115200…

Customer is all set; connected using the MAC address method within Winbox.

NOTE: we do provide them fiber to their office; however, I have the telnet service disabled on the customer MikroTiks.

I’ll keep this in mind for future though!!